Asked by: Lord Taylor of Warwick (Non-affiliated - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what steps they are taking to support UK companies to improve cybersecurity.
Answered by Baroness Lloyd of Effra - Baroness in Waiting (HM Household) (Whip)
Improving the cyber security of UK companies is critical to the resilience of our wider economy and is a priority for the government.
The Cyber Security and Resilience Bill will improve UK cyber defences and help protect our essential services. Our product security legislation and cyber security codes of practice are helping to ensure the technology people and businesses use is secure by design. We are also developing and growing the cyber security industrial base and skills pipeline to ensure companies have access to the services and capabilities they need. Together these system-wide measures aim to drive a step change in supporting companies across the economy to improve their cyber resilience.
In addition, the government wrote to the Chairs and CEOs of leading UK companies and asked them to better identify and protect themselves from cyber threats by making cyber a board-level priority by using the Cyber Governance Code of Practice, signing up to the National Cyber Security Centre (NCSC) Early Warning service, and requiring Cyber Essentials in their supply chains.
These actions are relevant to all businesses. To support them further, the government has developed a wide range of free resources, including the Cyber Action Toolkit offering tailored advice for small businesses, and NCSC-certified Cyber Advisors who provide advice and guidance on commercial terms, with SMEs eligible for a free 30-minute consultation.
Asked by: Max Wilkinson (Liberal Democrat - Cheltenham)
Question to the Home Office:
To ask the Secretary of State for the Home Department, what steps her Department is taking to help ensure that data collected by live facial recognition technology cannot be accessed by foreign states.
Answered by Sarah Jones - Minister of State (Home Office)
Police use of live facial recognition (LFR) is governed by data protection legislation, which requires that any processing of biometric data is lawful, fair, proportionate and subject to appropriate safeguards.
The Home Office does not collect or store data generated through police use of LFR. Police forces act as data controllers for the operational use of the technology and are responsible for ensuring that data is stored and handled securely, in line with data protection law and established policing standards.
LFR systems used by the police must be procured and operated in accordance with UK law and national security requirements. Police procurement decisions are subject to procurement legislation and Cabinet Office guidance on supply‑chain and national security risk. This includes having regard to cyber security standards and advice from the National Cyber Security Centre, which supports public sector organisations in protecting systems and sensitive data from cyber threats, including risks associated with third‑party suppliers and foreign access.
Operational guidance on the use of LFR is set out in the College of Policing’s Authorised Professional Practice (APP). The APP is national guidance developed and maintained by the College, following engagement with policing practitioners and relevant stakeholders. It sets out best practice and legal standards for police forces, making clear that any use of LFR must be lawful, necessary and proportionate, and must comply with data protection, equality and human rights legislation.
The APP sits alongside the Surveillance Camera Code of Practice, issued by the Home Secretary, which provides statutory guidance on the responsible and transparent use of surveillance cameras including facial recognition.
Asked by: Max Wilkinson (Liberal Democrat - Cheltenham)
Question to the Home Office:
To ask the Secretary of State for the Home Department, if she will publish a list of stakeholders that ministers have met to develop a best practice guidance for the use of Live Facial Recognition technology by the police.
Answered by Sarah Jones - Minister of State (Home Office)
Police use of live facial recognition (LFR) is governed by data protection legislation, which requires that any processing of biometric data is lawful, fair, proportionate and subject to appropriate safeguards.
The Home Office does not collect or store data generated through police use of LFR. Police forces act as data controllers for the operational use of the technology and are responsible for ensuring that data is stored and handled securely, in line with data protection law and established policing standards.
LFR systems used by the police must be procured and operated in accordance with UK law and national security requirements. Police procurement decisions are subject to procurement legislation and Cabinet Office guidance on supply‑chain and national security risk. This includes having regard to cyber security standards and advice from the National Cyber Security Centre, which supports public sector organisations in protecting systems and sensitive data from cyber threats, including risks associated with third‑party suppliers and foreign access.
Operational guidance on the use of LFR is set out in the College of Policing’s Authorised Professional Practice (APP). The APP is national guidance developed and maintained by the College, following engagement with policing practitioners and relevant stakeholders. It sets out best practice and legal standards for police forces, making clear that any use of LFR must be lawful, necessary and proportionate, and must comply with data protection, equality and human rights legislation.
The APP sits alongside the Surveillance Camera Code of Practice, issued by the Home Secretary, which provides statutory guidance on the responsible and transparent use of surveillance cameras including facial recognition.
Asked by: Max Wilkinson (Liberal Democrat - Cheltenham)
Question to the Home Office:
To ask the Secretary of State for the Home Department, what steps her Department plans to take to ensure that data collected by live facial recognition will be stored safely.
Answered by Sarah Jones - Minister of State (Home Office)
Police use of live facial recognition (LFR) is governed by data protection legislation, which requires that any processing of biometric data is lawful, fair, proportionate and subject to appropriate safeguards.
The Home Office does not collect or store data generated through police use of LFR. Police forces act as data controllers for the operational use of the technology and are responsible for ensuring that data is stored and handled securely, in line with data protection law and established policing standards.
LFR systems used by the police must be procured and operated in accordance with UK law and national security requirements. Police procurement decisions are subject to procurement legislation and Cabinet Office guidance on supply‑chain and national security risk. This includes having regard to cyber security standards and advice from the National Cyber Security Centre, which supports public sector organisations in protecting systems and sensitive data from cyber threats, including risks associated with third‑party suppliers and foreign access.
Operational guidance on the use of LFR is set out in the College of Policing’s Authorised Professional Practice (APP). The APP is national guidance developed and maintained by the College, following engagement with policing practitioners and relevant stakeholders. It sets out best practice and legal standards for police forces, making clear that any use of LFR must be lawful, necessary and proportionate, and must comply with data protection, equality and human rights legislation.
The APP sits alongside the Surveillance Camera Code of Practice, issued by the Home Secretary, which provides statutory guidance on the responsible and transparent use of surveillance cameras including facial recognition.
Asked by: Neil Duncan-Jordan (Labour - Poole)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what safeguards have been considered in relation to Meta support for building AI systems for UK national security.
Answered by Luke Pollard - Minister of State (Ministry of Defence)
The Ministry of Defence (MOD) does not use services from Meta to build Artificial Intelligence (AI) systems for United Kingdom (UK) national security purposes.
Broader policy on the governance, assurance and oversight of the UK’s relationships with commercial AI developers, including any safeguarding expectations, sits with the Department for Science, Innovation and Technology (DSIT), which leads for Government on the regulation and safe development of AI technologies.
The MOD’s role is limited to ensuring that any AI technologies we adopt or develop follow our established Defence AI Strategy, our ethical principles for responsible AI in Defence as set out in our ‘Ambitious, Safe, Responsible’ policy document, and the security requirements set out in UK Government security classifications. These include robust technical; security and assurance measures appropriate to the sensitivity of MOD systems.
We continue to work closely with DSIT, the National Cyber Security Centre and other cross-Government partners to ensure any Defence use of AI is safe, secure and compliant with national policy.
Asked by: Martin Wrigley (Liberal Democrat - Newton Abbot)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what criteria his Department uses to assess requirements to rebuild underlying data analytics architecture, undertake fresh security accreditation and retrain personnel.
Answered by Luke Pollard - Minister of State (Ministry of Defence)
The Ministry of Defence (MOD) keeps its data analytics infrastructure, security assurance processes and workforce skills under continual review. Decisions to rebuild underlying data analytics architecture are based on whether current systems remain aligned with Defence's enterprise data principles, architectural standards (Exploitable by Design), resilience requirements, and operational needs.
The MOD has replaced accreditation with Secure by Design in line with National Cyber Security Centre guidance on assuring systems and services. The MOD's Cyber Security Design Authority provides a reliable, curated source of standards and policies to enable secure design.
Personnel are retrained when new tools, platforms or security standards are introduced, or when capability reviews identify changing skills requirements across Defence's digital and data workforce.
These processes ensure Defence maintains secure, resilient, and modern data capabilities that can effectively support Defence outcomes.
Asked by: Saqib Bhatti (Conservative - Meriden and Solihull East)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what assessment she has made of the potential impact of the Cyber Security and Resilience (Network and Information Systems) Bill on the cyber resilience of energy infrastructure.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.
The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.
The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.
The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.
The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.
Asked by: Saqib Bhatti (Conservative - Meriden and Solihull East)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what estimate her Department has made of the number of cyber attacks on energy infrastructure.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.
The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.
The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.
The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.
The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.
Asked by: Saqib Bhatti (Conservative - Meriden and Solihull East)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what assessment her Department has made of the potential merits of creating a cyber incident database with compulsory fixes to be created for energy infrastructure.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.
The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.
The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.
The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.
The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.
Asked by: Saqib Bhatti (Conservative - Meriden and Solihull East)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what assessment her Department has made of the risk of cyber attacks on energy infrastructure.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The government's Cyber Security Breaches Survey shows that 43% of UK businesses reported experiencing a cyber breach or attack within the past year. Within the utilities sector this figure is 48%. The survey does not specifically detail cyber attacks on energy infrastructure.
The National Cyber Security Centre (NCSC) has warned there is a significant and enduring cyber threat faced by the UK’s critical national infrastructure. As part of its routine operations the NCSC works closely with all areas of the UK’s critical national infrastructure to highlight the cyber threat landscape and associated mitigation activities. As noted in its Annual Review (2025) the NCSC has undertaken a wide range of activities to enhance protections for the UK’s energy infrastructure, including delivering technical advice and guidance on cyber security challenges, working directly with key suppliers on cyber security initiatives, and providing additional support to operators of renewable energy assets. The annual review also notes how NCSC has deepened its understanding of cyber maturity in critical national infrastructure, enabling more targeted interventions and strengthening the UK’s ability to identify and eliminate sophisticated threat actors.
The Cyber Security and Resilience (Network and Information Systems) Bill updates the Network and Information Systems Regulations 2018, which includes essential services in the energy sector. The Bill will improve the cyber security of the energy sector and its infrastructure through better resourced regulators to respond to cyber threats, and a stronger mechanism for government to set priority outcomes for regulators to work to.
The incident reporting framework will also be updated through the Bill, including for the energy sector. Under the existing reporting regime, too many significant incidents do not need to be reported, and this creates a gap in the government’s knowledge and ability to protect the UK from harm. A wider range of significant incidents, such as successful ransomware and pre-positioning will need to be reported under the Bill. A light touch, initial notification will also be required within 24 hours of an incident being discovered will enable quicker and more effective support to be provided to organisations.
The Bill will keep pace with an increasingly digitalised and interconnected energy sector by bringing load controllers into scope of the NIS Regulations as a new essential service, where they meet the threshold, ensuring regulation is focused where the risk is greatest.